ffeb57e7f334903e10bf3aa6177de7ef1e60abc1b1f41fd62270d462356dee2e

Analysis

max time kernel
145s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:56

Target

NEAS.73413470c47184652e368557aae83830.exe
Size

97KB
MD5

73413470c47184652e368557aae83830
SHA1

e790c54254dbc7cac041a5c1a413c6fcf8959ccb
SHA256

ffeb57e7f334903e10bf3aa6177de7ef1e60abc1b1f41fd62270d462356dee2e
SHA512

ecd7c935e88945ea4171084d867b4ee0800c477e3d775a02a652ce94e53ba298aeb5721d3be947c8ab018a75653436a5da462aca35254ef717adc98b9464135f
SSDEEP

1536:2QxRQHgur/cgllYSNW2F6Q95xdZrqlrmVS3:BRQAuwQ95xdZri3

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1032	yokitoki.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3444-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/3444-1-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/files/0x00090000000224ad-4.dat	upx
behavioral2/files/0x00090000000224ad-5.dat	upx
behavioral2/memory/1032-6-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	icanhazip.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 1032	3444	NEAS.73413470c47184652e368557aae83830.exe	86
PID 3444 wrote to memory of 1032	3444	NEAS.73413470c47184652e368557aae83830.exe	86
PID 3444 wrote to memory of 1032	3444	NEAS.73413470c47184652e368557aae83830.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.73413470c47184652e368557aae83830.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.73413470c47184652e368557aae83830.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\yokitoki.exe
  C:\Users\Admin\AppData\Local\Temp\yokitoki.exe
  2⤵
  - Executes dropped EXE
  PID:1032

C:\Users\Admin\AppData\Local\Temp\yokitoki.exe

Filesize
97KB

MD5
2d4e9f8307029a65b16a55131f0846dd

SHA1
5394eeb42837e6b3675b09a68243c579c8681e87

SHA256
6ec5adbb7d21b017927b15bf82977bc50fb11f3940edf968d734439c34339a3f

SHA512
3b0eceaeab4a77e4d7f68c839ef40efdfa90923d09532a5781d1e5149d2ed6f8e27c8c810530b8d7365fa182f91922335d35b0a28157045149368004a2832c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\yokitoki.exe

Filesize
97KB

MD5
2d4e9f8307029a65b16a55131f0846dd

SHA1
5394eeb42837e6b3675b09a68243c579c8681e87

SHA256
6ec5adbb7d21b017927b15bf82977bc50fb11f3940edf968d734439c34339a3f

SHA512
3b0eceaeab4a77e4d7f68c839ef40efdfa90923d09532a5781d1e5149d2ed6f8e27c8c810530b8d7365fa182f91922335d35b0a28157045149368004a2832c29

Download Submit
memory/1032-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3444-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3444-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download